KSI-SVC-VRI—Validating Resource Integrity
Formerly KSI-SVC-05
Trust Center Components
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express software integrity through SLSA framework compliance — build provenance tracked and verified at each pipeline stage, code signing enforced via policy engines, and SBOM generated automatically from build manifests. Supply chain integrity becomes a measurable, verifiable property with signed attestations.
Software Integrity Verification
Code signing, artifact verification, and supply chain integrity controls — enforced at each pipeline stage
Build Pipeline Security
Architecture expressing secure build pipeline with integrity checks at each stage — SLSA framework compliance
Integrity Policy Enforcement
Automated enforcement of integrity requirements — unsigned artifacts blocked from deployment, provenance verified before promotion
SBOM and Dependency Management
Machine-readable SBOM with dependency vulnerability tracking — generated from build pipelines
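The integrity policy enforcement component above (provenance verified before promotion, unsigned artifacts blocked) can be illustrated with a small promotion gate. The following is an added example, not code from this KSI page or from any CI vendor or policy engine; it assumes an in-toto/SLSA-style provenance statement, uses an HMAC as a stand-in for the builder's real asymmetric signing key, and the builder and repository identifiers are constructed placeholders.

```python
"""Promotion gate: verify an artifact's provenance before it is promoted.

Added example (not from the FedRAMP KSI page or any vendor's code). It models
an in-toto/SLSA-style provenance statement and an HMAC-based signature as a
stand-in for a real signing key (cosign/KMS-held); all identifiers are constructed.
"""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed policy: builders and source repositories allowed to produce production artifacts.
TRUSTED_BUILDERS = {"https://example.invalid/ci/builder@v1"}
TRUSTED_REPOS = {"https://example.invalid/org/app"}

# Constructed stand-in for the builder's signing key (in practice: asymmetric, held in KMS/HSM).
BUILDER_KEY = b"constructed-demo-key-do-not-use"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(payload: bytes, key: bytes = BUILDER_KEY) -> str:
    """Sign the serialized statement (HMAC stands in for Ed25519/ECDSA here)."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_provenance(artifact: bytes, builder_id: str, repo: str) -> dict:
    """Build a minimal SLSA-style statement plus an envelope carrying its signature."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "app.tar.gz", "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {"resolvedDependencies": [{"uri": repo}]},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    return {"payload": payload.decode(), "signature": sign(payload)}


def evaluate_promotion(artifact: bytes, envelope: Optional[dict]) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed check is recorded so the decision is auditable."""
    reasons: List[str] = []
    if envelope is None:
        return False, ["no provenance attached: unsigned artifacts are blocked"]
    payload = envelope["payload"].encode()
    # Verify the signature before trusting anything inside the statement.
    if not hmac.compare_digest(sign(payload), envelope.get("signature", "")):
        return False, ["provenance signature invalid"]
    statement = json.loads(payload)
    # The artifact being promoted must be the exact subject the builder attested to.
    digests = {s["digest"].get("sha256") for s in statement.get("subject", [])}
    if sha256_hex(artifact) not in digests:
        reasons.append("artifact digest does not match attested subject")
    predicate = statement.get("predicate", {})
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        reasons.append(f"untrusted builder: {builder}")
    sources = {d.get("uri") for d in predicate.get("buildDefinition", {}).get("resolvedDependencies", [])}
    if not sources & TRUSTED_REPOS:
        reasons.append("source repository not in allow-list")
    return (not reasons), reasons


if __name__ == "__main__":
    art = b"constructed artifact bytes"
    env = make_provenance(art, "https://example.invalid/ci/builder@v1", "https://example.invalid/org/app")
    print(evaluate_promotion(art, env))           # (True, [])
    print(evaluate_promotion(art + b"x", env))    # digest mismatch
    print(evaluate_promotion(art, None))          # unsigned: blocked
```

The gate fails closed: a missing envelope or a bad signature is rejected before the statement is parsed, and the remaining checks (subject digest, builder identity, source repository) are all collected so the promotion log records every reason a candidate was refused.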
Programmatic Queries
CLI Commands
```shell
# List the packages recorded in the repository's dependency-graph SBOM (name and version)
gh api repos/{owner}/{repo}/dependency-graph/sbom --jq '.sbom.packages[] | {name: .name, version: .versionInfo}' | head -30

# List Dependabot alerts with advisory summary, severity and state
gh api repos/{owner}/{repo}/dependabot/alerts --jq '.[] | {package: .security_advisory.summary, severity: .security_advisory.severity, state: .state}' | head -20
```

20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- Does cryptographic integrity validation cover all machine-based resource types — container images, VM images, application binaries, IaC templates, configuration files, and firmware?
- Are there resource types where integrity validation is not performed, and how are those exceptions documented and justified?
- How do you ensure integrity baselines are established for all resources at a known-good state, and updated only through approved change processes?
- Does integrity validation extend to resources in all environments (production, staging, DR) and all deployment stages (build, deploy, runtime)?

Automation & Validation:
- What automated mechanisms validate resource integrity — image signing verification, file integrity monitoring (FIM), signed artifacts in CI/CD pipelines?
- What happens when integrity validation detects a resource that does not match its cryptographic baseline — is it quarantined, blocked from execution, or only alerted?
- How do you detect if an attacker modifies a resource and updates the hash to match — do you use signed baselines with protected signing keys?
- How frequently is runtime integrity validation performed, and what is the maximum time between a resource being tampered with and detection?

Inventory & Integration:
- What tools perform integrity validation (Sigstore/cosign for containers, AIDE/OSSEC for file integrity, code signing for binaries)?
- How do integrity baselines integrate with your CI/CD pipeline to ensure only signed, validated artifacts are deployed?
- What PKI or signing infrastructure supports resource integrity validation, and how are signing keys protected?
- How does integrity validation integrate with your SIEM to alert on and investigate integrity failures?

Continuous Evidence & Schedules:
- How do you demonstrate that integrity validation has been active and effective across all resources over the past 90 days?
- Is integrity validation data (baseline status, validation results, failure counts) available via API or dashboard?
- How do you detect when integrity validation coverage drops — for example, when new resources are deployed without signed baselines?
- What evidence shows integrity validation failures in the past year were investigated, root-caused, and remediated?
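Several of the questions above (cryptographic baselines at a known-good state, an attacker who modifies a resource and rewrites the hash to match, coverage gaps from resources deployed without a baseline) come down to whether the baseline itself is authenticated. The following added example, which is not from this page or from any FIM tool such as AIDE or OSSEC, contrasts an unsigned hash manifest with a signed one. The key, paths and file contents are constructed, and an HMAC stands in for an asymmetric signature whose private key is held off-host.

```python
"""File integrity baseline with a signed manifest.

Added example, not from the KSI page or any FIM product. An unsigned hash
manifest can be regenerated by whoever modified the files it covers; a
manifest authenticated under a key the monitored host cannot use for
signing cannot. HMAC stands in for an asymmetric signature here, and the
key, paths and contents are constructed.
"""
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed baseline signing key. In production the signing half lives off-host
# (KMS/HSM) and hosts only hold the verification half of an asymmetric key pair.
BASELINE_KEY = b"constructed-baseline-key"


def hash_tree(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 of its content."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def _serialize(files: Dict[str, bytes]) -> bytes:
    return json.dumps(hash_tree(files), sort_keys=True).encode()


def create_baseline(files: Dict[str, bytes]) -> dict:
    """Record hashes for a known-good state and sign the manifest."""
    manifest = _serialize(files)
    signature = hmac.new(BASELINE_KEY, manifest, hashlib.sha256).hexdigest()
    return {"manifest": manifest.decode(), "signature": signature}


def unsigned_manifest(files: Dict[str, bytes]) -> dict:
    """A manifest anyone with write access to the host could regenerate: no valid signature."""
    return {"manifest": _serialize(files).decode(), "signature": ""}


def check_integrity(files: Dict[str, bytes], baseline: dict, verify_signature: bool = True) -> List[str]:
    """Return findings; an empty list means every file matches its attested hash.

    verify_signature=False reproduces the behaviour of a plain, unsigned hash manifest.
    """
    manifest = baseline["manifest"].encode()
    if verify_signature:
        expected = hmac.new(BASELINE_KEY, manifest, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, baseline["signature"]):
            return ["baseline manifest signature invalid: the baseline itself has been tampered with"]
    expected_hashes = json.loads(manifest)
    current = hash_tree(files)
    findings = []
    for path, digest in expected_hashes.items():
        if path not in current:
            findings.append(f"missing: {path}")
        elif current[path] != digest:
            findings.append(f"modified: {path}")
    for path in current:
        if path not in expected_hashes:
            # Coverage gap: a resource exists with no baseline to validate it against.
            findings.append(f"unbaselined: {path}")
    return sorted(findings)


if __name__ == "__main__":
    good = {"/etc/app.conf": b"listen=443\n", "/usr/local/bin/svc": b"\x7fELF-constructed"}
    baseline = create_baseline(good)
    tampered = dict(good, **{"/usr/local/bin/svc": b"\x7fELF-modified"})
    print(check_integrity(tampered, baseline))                                        # modified
    print(check_integrity(tampered, unsigned_manifest(tampered), verify_signature=False))  # [] : evaded
    print(check_integrity(tampered, unsigned_manifest(tampered)))                     # signature invalid
```

The unsigned check is blind to a regenerated manifest, which is exactly the failure the "updates the hash to match" question probes; with the signature verified first, the regenerated manifest is itself reported as tampered. The unbaselined finding gives a concrete signal for the coverage-drop question: it fires as soon as a resource appears that no approved baseline covers.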